ArcSight Core, ArcSight Administration, and ArcSight System Standard Content Guide for ESM 6.8c

HP ArcSight ESM
Software Version: 6.8c
Configuration Monitoring Standard Content Guide
November 17, 2014

Legal Notices
Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products
and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or
editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
The network information used in the examples in this document (including IP addresses and hostnames) is for illustration
purposes only.
HP ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of
your data is your responsibility. Implement a comprehensive security strategy and follow good security practices.
This document is confidential.
Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211
and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items
are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice
© Copyright 2015 Hewlett-Packard Development Company, L.P.
Follow this link to see a complete statement of copyrights and acknowledgements:
http://www.hpenterprisesecurity.com/copyright
Support
Phone A list of phone numbers is available on the HP ArcSight Technical Support
Page: https://softwaresupport.hp.com/documents/10180/14684/esp-support-
contact-list
Support Web Site https://softwaresupport.hp.com
Protect 724 Community https://protect724.hp.com
Contact Information
HP ESM (6.8c) Page 2 of 98

Contents
Chapter 1: Configuration Monitoring Overview 5
What is Standard Content? 5
Standard Content Packages 7
Configuration Monitoring Content 8
Chapter 2: Installation and Configuration 9
Installing the Configuration Monitoring Package 9
Modeling the Network 10
Categorizing Assets 11
Configuring Active Lists 11
Ensuring Filters Capture Relevant Events 12
Configuring Rules 12
Configuring Notification Destinations 13
Configuring Notifications and Cases 13
Scheduling Reports 13
Configuring Trends 13
Chapter 3: Configuration Monitoring Use Cases 15
Assets 16
Assets Resources 16
Configuration Changes Overview 22
Configuration 22
Configuration Changes Overview Resources 22
Device Configuration Changes 26
Device Configuration Changes Resources 26
Hosts and Applications Overview 40
Configuration 40
Hosts and Applications Overview Resources 40
Security Application and Device Configuration Changes 51
Devices 51
Security Application and Device Configuration Changes Resources 51
User Configuration Changes 66

User Configuration Changes Resources 66
Vulnerabilities 82
Devices 82
Vulnerabilities Resources 82
Send Documentation Feedback 98

Chapter 1: Configuration Monitoring Overview
This chapter discusses the following topics.
What is Standard Content? 5
Standard Content Packages 7
Configuration Monitoring Content 8
What is Standard Content?
Standard content is a series of coordinated resources (filters, rules, dashboards, reports, and so on)
that address common security and management tasks. Standard content is designed to give you
comprehensive correlation, monitoring, reporting, alerting, and case management out-of-the box with
minimal configuration. The content provides a full spectrum of security, network, and configuration
monitoring tasks, as well as a comprehensive set of tasks that monitor the health of the system.
Standard content is installed using a series of packages, some of which are installed automatically with
the ArcSight Manager to provide essential system health and status operations. The remaining
packages are presented as install-time options organized by category.
Standard content consists of the following:
l ArcSight Core Security content is installed automatically with the ArcSight Manager and consists
of key resources for monitoring Microsoft Windows, firewall, IPS and IDS, NetFlow, and other
essential security information.
l ArcSight Administration content contains several packages that provide statistics about the
health and performance of ArcSight products.
n ArcSight Administration is installed automatically with the ArcSight Manager and is essential for
managing and tuning the performance of content and components.
n ArcSight Admin DB CORR is installed automatically with the ArcSight Manager for the CORR-
Engine (Correlation Optimized Retention and Retrieval) and provides information on the health of
the CORR-Engine.
Note: The ArcSight Admin DB CORR content package is installed automatically when you
perform a new ArcSight Manager installation. However package installation is different
during upgrade. If you are upgrading your system from a previous version, check to see if
the package is installed after upgrade. If the package is not installed, install it from the
ArcSight Console.
n ArcSight Content Management is an optional package that shows information about content
package synchronization with the ArcSight Content Management feature. The information

includes a history of content packages synchronized from a primary source to multiple
destinations, and any common issues or errors encountered. You can install this package during
ArcSight Manager installation or from the ArcSight Console any time after installation.
n ArcSight ESM HA Monitoring is an optional package that lets you monitor systems that use the
ESM High Availability Module. You can install this package during ArcSight Manager installation
or from the ArcSight Console any time after installation.
n ArcSight Search Filters is installed automatically with the ArcSight Manager for use in the
ArcSight Command Center. You cannot edit or use these filters in the ArcSight Console. For
information about the search filters, refer to the ArcSight Command Center User’s Guide.
Note: The ArcSight Search Filters content package is installed automatically when you
perform a new ArcSight Manager installation. However package installation is different
during upgrade. If you are upgrading your system from a previous version, check to see if
the package is installed after upgrade. If the package is not installed, install it from the
ArcSight Console.
l ArcSight System content is installed automatically with the ArcSight Manager and consists of
three packages: ArcSight Core, ArcSight Groups, and ArcSight Networks. ArcSight Core and
ArcSight Groups contain resources required for basic security processing functions, such as threat
escalation and priority calculations, as well as basic throughput channels required for out-of-the-box
functionality. The ArcSight Networks package contains the zones that were in the ArcSight Core
package in previous releases, in addition to local and global network resources.
l ArcSight Foundation content (such as Cisco Monitoring, Configuration Monitoring, Intrusion
Monitoring, IPv6, NetFlow Monitoring, Network Monitoring, and Workflow) provide a coordinated
system of resources with real-time monitoring capabilities for a specific area of focus, as well as
after-the-fact analysis in the form of reports and trends. You can extend these foundations with
additional resources specific to your needs or you can use them as a template for building your own
resources and tasks. You can install a Foundation during installation or from the ArcSight Console
any time after installation.
l Shared Libraries - ArcSight Administration and several of the ArcSight Foundations rely on a
series of common resources that provide core functionality for common security scenarios.
Dependencies between these resources and the packages they support are managed by the
Package resource.
n Anti Virus content is a set of filters, reports, and report queries used by ArcSight Foundations,
such as Configuration Monitoring and Intrusion Monitoring.
n Conditional Variable Filters content is a library of filters used by variables in standard content
report queries, filters, and rule definitions. The Conditional Variable Filters are used by ArcSight
Administration and certain ArcSight Foundations, such as Configuration Monitoring, Intrusion
Monitoring, Network Monitoring, and Workflow.
n Global Variables content is a set of variables used to create other resources and to provide
event-based fields that cover common event information, asset, host, and user information, and

commonly used timestamp formats. The Global Variables are used by ArcSight Administration
and certain ArcSight Foundations.
n Monitoring Support Data content is a set of active lists that store mapping information for HTTP
return status code classes, Cisco firewall syslog message types, and encoded logon types.
n Network filters content is a set of filters required by ArcSight Administration and certain ArcSight
Foundations, such as Intrusion Monitoring and Network Monitoring.
Caution: The resources in the ArcSight Core Security, ArcSight Administration, ArcSight DB
CORR, Conditional Variable Filters, Global Variables, and Network Filters content packages are
not locked even though they manage core functionality; HP recommends that you do not delete or
modify these resources unless you are an advanced user who understands fully the resources and
their dependencies.
Standard Content Packages
Standard content comes in packages (.arb files) that are either installed automatically or presented as
install-time options. The following graphic outlines the packages.
The ArcSight Core Security, ArcSight Administration, and ArcSight System packages at the base
provide content required for basic functionality. The common packages in the center contain shared
resources that support multiple packages. The packages shown on top are ArcSight Foundations that
address common network security and management scenarios.

Depending on the options you install, you will see the ArcSight Core Security, ArcSight Administration,
and ArcSight System resources and some or all of the other package content.
Caution: When creating your own packages, you can explicitly include or exclude system
resources in the package. Exercise caution if you delete packages that might have system
resources. Make sure the system resources either belong to a locked group or are themselves
locked. For more information about packages, refer to the ArcSight Console User’s Guide.
Configuration Monitoring Content
The Configuration Monitoring content identifies, analyzes, and remediates undesired modifications to
systems, devices, and applications. These modifications include installing new applications, adding
new systems to the network, anti-virus/network scanner/IDS engine and signature updates, and asset
vulnerability postures. This content helps IT and security staff pinpoint and resolve problems quickly,
and provides essential visibility into the network configuration so you understand the systems you
have, where they are, what they host, and what vulnerabilities they expose.
Windows systems provide ample user and host account modification information. In most cases, if an
adequate auditing level is enabled, you can see modifications to applications, changes to user privilege
levels, system configuration changes, even file access.
Unix-based systems provide less visibility into internal system activity. Because there is little
consistency to what is reported from system to system, it is often not possible to easily identify
actions, such as software installations. In some cases, auditing can be enabled on Unix-based
systems, although the output might be too granular to be useful during analysis.
Other network devices, such as routers and firewalls, can be configured to report software or operating
system updates and provide basic log information that is useful to the Configuration Monitoring content.
This guide describes the Configuration Monitoring content. For information about ArcSight Core
Security, ArcSight Administration, or ArcSight System content, refer to the ArcSight Core Security,
ArcSight Administration, and ArcSight System Standard Content Guide. For information about an
optional ArcSight Foundation, refer to the Standard Content Guide for that Foundation. ESM
documentation is available on Protect 724 (https://protect724.hp.com).

Chapter 2: Installation and Configuration
This chapter discusses the following topics:
Installing the Configuration Monitoring Package 9
Modeling the Network 10
Categorizing Assets 11
Configuring Active Lists 11
Ensuring Filters Capture Relevant Events 12
Configuring Rules 12
Configuring Notification Destinations 13
Configuring Notifications and Cases 13
Scheduling Reports 13
Configuring Trends 13
Installing the Configuration Monitoring Package
The Configuration Monitoring Foundation package is one of the standard content packages presented
as install-time options. If you selected all the standard content packages to be installed at installation
time, the packages and their resources are installed in the ArcSight Database and available in the
Navigator panel resource tree. The package icons in the Navigator panel package view appear blue.
If you opted to exclude a Foundation package during ArcSight Manager installation, the package is
imported into the Packages tab in the Navigator panel automatically, but is not available in the resource
view. The package icon in the package view appears grey.
To install a package that is imported, but not installed:
1. On the Navigator panel Packages tab, navigate to the package you want to install.
2. Right-click the package and select Install Package.
3. In the Install Package dialog, click OK.
4. When the installation is complete, review the summary report and click OK.
The package resources are fully installed to the ArcSight Database, the resources are fully enabled and
operational, and available in the Navigator panel resource tree.

To uninstall a package that is installed:
1. On the Navigator Panel Packages tab, navigate to the package you want to uninstall.
2. Right-click the package and select Uninstall Package.
3. In the Uninstall Package dialog, click OK.
4. The progress of the uninstall displays in the Progress tab of the Uninstalling Packages dialog. If a
message displays indicating that there is a conflict, select an option in the Resolution Options
area and click OK.
5. When uninstall is complete, review the summary and click OK.
The package is removed from the ArcSight Database and the Navigator panel resource tree, but
remains available in the Navigator panel Packages tab, and can be re-installed at another time.
If you do not want the package to be available in any form, you can delete the package.
To delete a package and remove it from the ArcSight Console and the ArcSight Database:
1. On the Navigator Panel Packages tab, navigate to the package you want to delete.
2. Right-click the package and select Delete Package.
3. When prompted for confirmation, click Delete.
The package is removed from the Navigator panel Packages tab.
Modeling the Network
A network model keeps track of the network nodes participating in the event traffic. Modeling your
network and categorizing critical assets using the standard asset categories is what activates some of
the standard content and makes it effective.
There are several ways to model your network. For information about populating the network model,
refer to the ArcSight Console User’s Guide. To learn more about the architecture of the network
modeling tools, refer to the ESM 101 guide.

Categorizing Assets
After you have populated your network model with assets, apply the standard asset categories to
activate standard content that uses these categories.
Asset Category Description
/Site Asset Categories/
Address Spaces/Protected
Categorize all assets (or the zones to which the assets belong)
that are internal to the network with this asset category.
Internal Assets are assets inside the company network. Assets
that are not categorized as internal to the network are considered
to be external. Make sure that you also categorize assets that
have public addresses but are controlled by the organization
(such as web servers) as Protected.
Note: Assets with a private IP address (such as 192.168.0.0) are
considered Protected by the system, even if they are not
categorized as such.
/System Asset Categories/
Criticality/High
Categorize all assets that are considered critical to protect
(including assets that host proprietary content, financial data,
cardholder data, top secret data, or perform functions critical to
basic operations) with this asset category.
The asset categories most essential to basic event processing
are those used by the Priority Formula to calculate the criticality
of an event. Asset criticality is one of the four factors used by the
Priority Formula to generate an overall event priority rating.
/System Asset Categories/
Criticality/Very High
Same as /System Asset Categories/
Criticality/High
You can assign asset categories to assets, zones, asset groups, or zone groups. If assigned to a
group, all resources under that group inherit the categories.
You can assign asset categories individually using the Asset editor or in a batch using the Network
Modeling wizard. For information about how to assign asset categories using the ArcSight Console
tools, refer to the ArcSight Console User’s Guide.
For more about the Priority Formula and how it leverages these asset categories to help assign
priorities to events, refer to the ArcSight Console User’s Guide or the ESM 101 guide.
Configuring Active Lists
The standard content includes active lists. Certain active lists are populated automatically during run-
time by rules. You do not have to add entries to these active lists manually before you use them. Other
active lists are designed to be populated manually with data specific to your environment. After the lists

are populated with values, they are cross-referenced by active channels, filters, rules, reports, and data
monitors to give ESM more information about the assets in your environment.
You can add entries manually to active lists using the following methods. Both methods are described
in the ArcSight Console User’s Guide.
l One by one using the Active List editor in the ArcSight Console.
l In a batch by importing values from a CSV file.
Ensuring Filters Capture Relevant Events
Standard content relies on specific event field values to identify events of interest. Although this
method applies to most of the events and devices, be sure to test key filters to verify that they actually
capture the required events.
To ensure that a filter captures the relevant events:
1. Generate or identify the required events and verify that they are being processed by viewing them
in an active channel or query viewer.
2. Navigate to the appropriate filter, right-click the filter and choose Create Channel with Filter. If
you see the events of interest in the newly created channel, the filter is functioning properly.
If you do not see the events of interest:
a. Verify that the configuration of the active channel is suitable for the events in question. For
example, ensure that the event time is within the start and end time of the channel.
b. Modify the filter condition to capture the events of interest and apply the change.
c. Right-click the filter and choose Create Channel with Filter to verify that the modified filter
captures the required events.
Configuring Rules
Rules trigger only if they are deployed in the Real-Time Rules group and are enabled. All Configuration
Monitoring rules are deployed by default in the Real-Time Rules group and are enabled.
To disable a rule:
1. In the Navigator panel, go to Rules and navigate to the Real-time Rules group.
2. Navigate to the rule you want to disable.
3. Right-click the rule and select Disable Rule.

Configuring Notification Destinations
Configure notification destinations if you want to be notified when some of the standard content rules
are triggered. By default, most notifications are disabled in the standard content rules, so the admin
user needs to configure the destinations and enable the notification in the rules.
Refer to the ArcSight Console User’s Guide for information on how to configure notification
destinations.
Configuring Notifications and Cases
Standard content depends on rules to send notifications and open cases when conditions are met.
Notifications and cases are how users can track and resolve the security issues that the content is
designed to find.
By default, most notifications and create case actions are disabled in the standard content rules that
send notifications about security-related events.
To enable rules to send notifications and open cases, first configure notification destinations as
described in "Configuring Notification Destinations" above, then enable the notification and case
actions in the rules. For more information about working with Rule actions in the Rules Editor, refer to
the ArcSight Console User’s Guide.
Scheduling Reports
You can run reports on demand, automatically on a regular schedule, or both. By default, reports are not
scheduled to run automatically.
Evaluate the reports that come with the content, and schedule the reports that are of interest to your
organization and business objectives. For instructions about how to schedule reports, refer to the
ArcSight Console User’s Guide.
Configuring Trends
Trends are a type of resource that can gather data over longer periods of time, which can be leveraged
for reports. Trends streamline data gathering to the specific pieces of data you want to track over a long
range, and breaks the data gathering up into periodic updates. For long-range queries, such as end-of-
month summaries, trends greatly reduce the burden on system resources. Trends can also provide a
snapshot of which devices report on the network over a series of days.
Configuration Monitoring content includes several trends, some of which are enabled by default. These
enabled trends are scheduled to run on an alternating schedule between the hours of midnight and 7:00
a.m. when network traffic is usually less busy than during peak daytime business hours. These
schedules can be customized to suit your needs using the Trend scheduler in the ArcSight Console.

To disable or enable a trend, go to the Trend tab from the Reports drop-down list in the Navigator
panel, right-click the trend, then select Disable Trend or Enable Trend.
Note: Before you enable a disabled trend, you must first change the default start date in the
Trend editor.
If the start date is not changed, the trend takes the default start date (derived from when the trend
was first installed), and back fills the data from that time. For example, if you enable the trend six
months after the first install, these trends try to get all the data for the last six months, which might
cause performance problems, overwhelm system resources, or cause the trend to fail if that event
data is not available.

Chapter 3: Configuration Monitoring Use Cases
In this section, the Configuration Monitoring resources are grouped together based on the functionality
they provide. The resource groups are listed in the table below.
Resource Group Purpose
"Assets" on the next page "The Assets resources provide information about
systems that have been started, shut down, or
restarted."
"Configuration Changes Overview " on page 22 "The Configuration Changes Overview resources
provide an overview of the current system
configuration, system configuration changes,
and systems with a criticality rating by zone."
"Device Configuration Changes" on page 26 "The Device Configuration Changes resources
provide information about configuration changes
to hosts and applications."
"Hosts and Applications Overview " on page 40 "The Hosts and Applications Overview
resources provide an overview of the
configuration of systems with common
applications, such as email servers and
databases."
"Security Application and Device Configuration
Changes" on page 51
"The Security Application and Device
Configuration Changes resources provide
information about configuration changes to
security applications."
"User Configuration Changes" on page 66 "The User Configuration Changes resources
provide information about user configuration by
identifying and monitoring user accounts and the
hosts/addresses associated with them. This ties
a user to certain IP addresses, MAC addresses,
host-names, zones, and so on. The reports cover
user account additions, modifications to those
accounts, and account removal."
"Vulnerabilities " on page 82 "The Vulnerabilities resources provide an
overview about current vulnerabilities on
systems."

Assets
The Assets resources provide information about systems that have been started, shut down, or
restarted.
Assets Resources
The following table lists all the resources in the Assets group.
Resource Description Type URI
Monitor Resources
User Login
Failures
Trend -
Past Week
This report provides aggregate
information about the user
accounts that experience failed
logins most often during the past
7 days.
Report ArcSight
Foundation/Configuration
Monitoring/Operational
Summaries/Access Tracking/
Top User
Logins -
Last Week
This report provides an overview
of the top users attempting
logins during the past week.
Report ArcSight
Critical
Asset
Startup and
Shutdown
Event Log -
Last Day
This report provides a listing of
the critical system startup and
shutdown events seen during the
past day.
Report ArcSight
Summaries/Asset Restarts/
Critical
Asset
Startup and
Shutdown
Trend
This report displays summary
data from a trend table to provide
a count of how often your critical
systems start up or shut down.
Note: The Critical System
Startup and Shutdown Events -
Daily Trend is not enabled by
default.
Report ArcSight
Asset
Startup and
Shutdown
Log - Last
Week
This report queries a trend table
to retrieve a listing of all system
startup and shutdown events
seen during the past week.
Report ArcSight
Resources that Support the Assets Group

Assets
Restarting
Twice or
More - Last
Week
This report displays a list of
assets that appear to be
restarting twice or more per
week. Depending on the function
of these assets, these events
might indicate a problem and
need to be investigated.
Report ArcSight
Asset
Startup and
Shutdown
Event Log -
Last Day
This report provides a listing of
the system startup and
shutdown events seen during the
past day.
Report ArcSight
Top User
Logins -
Yesterday
This report displays a summary
of the top N user logins that
occurred yesterday and lists the
login counts by user.
Report ArcSight
Library - Correlation Resources
Critical
Host
Shutdown
Detected
This rule detects when a host
with high or very high criticality is
shut down. This rule is a part of
the Configuration Monitoring
content.
Rule ArcSight
Monitoring/
Library Resources
Criticality This is a system asset category. Asset
Category
System Asset Categories
High This is a system asset category. Asset
Category
System Asset
Categories/Criticality
Very High This is a system asset category. Asset
Category
System Asset
Categories/Criticality
User
Account
Login
Attempts
This filter uses ArcSight
categories to choose events that
indicate user login attempts.
These might be successful or
failures.
Filter ArcSight
Monitoring/Detail/Configuration
Changes/User/Access Tracking/
System
Startup
Events
This filter identifies events that
indicate a system has started
up. This is often indicative of a
reboot.
Filter ArcSight
Resources that Support the Assets Group, continued

Failed User
Account
Login
Attempts
This filter uses the ArcSight
event categories to identify failed
user account login attempts.
Filter ArcSight
System
Shutdown
Events
This filter identifies events that
indicate a system has shutdown.
This is often indicative of a
reboot.
Filter ArcSight
Successful
User
Account
Login
Attempts
event categories to identify
successful user account login
attempts.
Filter ArcSight
All Events This filter matches all events. Filter ArcSight System/Core
Most
Common
Account
Logins by
Target
User
(Yesterday)
This query selects events
passed by the Successful User
Account Login Attempts filter.
Query ArcSight
Monitoring/Details/Configuration
Systems
Restarted
Twice or
More - Last
Week
This query checks the system
startup and shutdown trend
table, and retrieves a list of the
systems that have restarted
more than once in the past week.
The query shows the restart
history for each system each
day.
Query ArcSight
Most
Common
Account
Login
Attempts -
Last Day
passed by the User Account
Login Attempts filter.
Query ArcSight

Critical
System
Startup and
Shutdown
Events - By
Zone and
Asset
This query collects summary
data from a trend table to provide
a count of how often your critical
systems startup or shut down.
Note: The Critical System
Daily Trend is not enabled by
default.
Query ArcSight
Most
Common
Account
Login
Attempts
Trend -
Last Week
This query retrieves a listing of
the count of target user account
logins by zone for the last seven
days.
Query ArcSight
System
Startups
and
Shutdowns
This query collects information
about system startup and
shutdown events that occurred
yesterday. The startup events
typically indicate a system
restart, but may not be reliably
matched with shutdown events.
Query ArcSight
Critical
System
Startups
and
Shutdowns
- Trend
Query
This query collects information
about critical system startup and
shutdown events that occurred
yesterday. The startup events
typically indicate a system
restart, but may not be reliably
matched with shutdown events.
Query ArcSight
Failed User
Account
Login
Attempts
(Yesterday)
passed by the Failed User
Account Login Attempts filter.
Query ArcSight
User
Account
Login
Failures -
Weekly
Trend
This query retrieves aggregated
information about failed logins
over the past week from a trend
table.
Query ArcSight

Restart Log
by Zone -
Last Week
This query retrieves a list of all
asset startup and shutdown
events over the past week.
Query ArcSight
Simple
Table
Portrait
This template is designed to
show a table. The orientation is
portrait.
Report
Template
ArcSight System/1 Table
Chart and
Table
Landscape
show one chart and a table. The
orientation is landscape.
Report
Template
ArcSight System/1 Chart/With
Table
Chart and
Table
Portrait
show one chart and a table. The
orientation is portrait.
Report
Template
Table
Most
Common
Account
Login
Attempts -
Daily Trend
This trend collects daily
statistics about User Account
Login Attempts to track the most
frequent user logins.
Trend ArcSight
Monitoring/User Access Tracking/
Asset
Startup and
Shutdown
Events -
Daily Trend
statistics on shutdown and
startup events from your
different assets. The trend query
includes information on the
device product and vendor so
that you can query the trend for
statistics by operating system.
Trend ArcSight
Monitoring/Asset Restarts/
Critical
System
Startup and
Shutdown
Events -
Daily Trend
statistics about critical system
startup and shutdown events.
The startup events typically
indicate a system restart, but
may not be reliably matched with
shutdown events. This trend is a
more focused view (assets
modeled with criticality
categorization) of the Asset
Daily Trend. Note: This trend is
not enabled by default.
Trend ArcSight
Monitoring/Asset Restarts/

User
Account
Login
Failures
This trend collects aggregate
information about failed user
account login attempts. It also
collects other information
including the target zone as well
as the target device vendor and
product.
Trend ArcSight
Monitoring/User Access Tracking/

Configuration Changes Overview
The Configuration Changes Overview resources provide an overview of the current system
configuration, system configuration changes, and systems with a criticality rating by zone.
Configuration
Adjust the value of the TTL Days field in the Assets with Recent Configuration Modifications
active list, if needed. This active list tracks devices and hosts that have had some sort of configuration
modification within the time period specified. The default value is set to a seven day period.
Configuration Changes Overview Resources
The following table lists all the resources in the Configuration Changes Overview group.
Monitor Resources
Configuration
Changes
Overview
This dashboard shows an
overview of the successful
configuration changes for
databases, firewalls, VPNs,
and network devices.
Dashboard ArcSight
Summaries/
Successful
Configuration
Change
This rule detects events with
successful configuration
changes. After this rule
triggers, the target asset and
user information is added to
the Assets with Recent
Configuration Modifications
active list.
Rule ArcSight
Monitoring/
Library Resources
Assets with
Recent
Configuration
Modifications
This active list tracks devices
and hosts that have had some
sort of configuration
modification in the past seven
days.
Active List ArcSight
Monitoring/
Resources that Support the Configuration Changes Overview Group

Last 10
Database
Configuration
Changes
This data monitor shows the
last ten successful database
configuration changes.
Data
Monitor
ArcSight
Summaries/Configuration Changes
Overview/
Last 10
Firewall
Configuration
Changes
last ten successful firewall
Data
Monitor
ArcSight
Overview/
Last 10 VPN
Configuration
Changes
last ten successful VPN
Data
Monitor
ArcSight
Overview/
Last 10
Network
Configuration
Changes
last ten successful
configuration changes on
network devices.
Data
Monitor
ArcSight
Overview/
Standard This field set contains several
fields that are useful at a
glance for selecting events for
inspection. It uses the end
time field for the timestamp.
Field Set ArcSight System/Event Field
Sets/Active Channels
Network
Events
This filter identifies events
with the category object starts
with Network or the category
device group starts with
Network Equipment.
Filter ArcSight
Foundation/Common/Device Class
Filters
VPN Events This filter identifies events in
which the category device
group is VPN.
Filter ArcSight
Filters
Configuration
Modifications
This filter identifies
configuration modifications on
any system or device. This
resource is a part of the
Configuration Monitoring
content.
Filter ArcSight
Monitoring/
Resources that Support the Configuration Changes Overview Group, continued

Network
Configuration
Changes
This filter identifies successful
configuration change events
that match the Network
Events filter.
Filter ArcSight
Changes/Device/Network/
VPN
Configuration
Changes
that match the VPN Events
filter.
Filter ArcSight
Changes/Device/VPN/
Firewall
Configuration
Changes
that match the Firewall Events
filter.
Filter ArcSight
Changes/Device/Firewall/
Successful
Configuration
Changes
This filter identifies events in
which the category behavior is
/Modify/Configuration and the
category outcome is Success.
Filter ArcSight
Changes/
Database
Configuration
Changes
that match the Database
Events filter.
Filter ArcSight
Changes/Device/Database/
Firewall
Events
This filter retrieves events with
the Firewall category device
group.
Filter ArcSight
Filters
Database
Events
with the category object
/Host/Application/Database.
Filter ArcSight
ArcSight
Events
This filter captures all events
generated by ArcSight,
including events generated by
ArcSight SmartConnectors.
These events include system
monitoring and health events,
correlation events from rules,
and data monitors. Note: Data
from devices collected by
SmartConnectors is not
included.
Filter ArcSight System/Event Types

Non-
ArcSight
Events
that are not generated by
ArcSight or ArcSight
SmartConnectors.
Security
Application
and Device
Configuration
Changes
This use case provides
information about the
configuration change on
security applications.
Use Case ArcSight
Monitoring/Configuration
Changes
User
Configuration
Changes
information about user
management.
Use Case ArcSight
Changes
Device
Configuration
Changes
configuration change on host
and applications.
Use Case ArcSight
Changes

Device Configuration Changes
The Device Configuration Changes resources provide information about configuration changes to hosts
and applications.
Device Configuration Changes Resources
The following table lists all the resources in the Device Configuration Changes group.
Monitor Resources
Host
Configuration
Modifications
This dashboard shows
three data monitors that
focus on host
configuration change
events. The two Top
Value Counts
(Bucketized) data
monitors show charts of
the event counts by zone
or the most common
events. The Last N
Events data monitor
shows the last 20 events.
Dashboa
rd
ArcSight Foundation/Configuration
Monitoring/Operational Summaries/
Host
Configuration
Modifications -
Today
This query viewer
displays host related
configuration modification
events since midnight of
the current day.
Query
Viewer
Changes/
Host
Configuration
Modifications -
Yesterday
This query viewer
displays host related
events since midnight of
the previous day.
Query
Viewer
Changes/
Zones by
Configuration
Change Count
Past Week
This report provides a
summary chart and table
to show the zones with
the most configuration
changes within the past
week.
Report ArcSight Foundation/Configuration
Changes/Device/
Resources that Support the Device Configuration Changes Group

Misconfigurati
ons
This resource has no
description.
Changes/Device/Switch/
Misconfigurati
ons
description.
Changes/Device/VPN/
Host
Configuration
Modifications
Summary
summary of the host
activity seen over the
preceding week. Use the
Zone parameter to focus
the report on a certain
zone, and provide a
manageable and useful
data set. This report is
part of the Configuration
Monitoring content.
Misconfigurati
ons
description.
Changes/Device/Router/
Assets with
Configuration
Changes - Last
Day
listing of the assets that
have been modified within
the last day and the users
that made the
modifications. The listing
is sorted first by zone,
then by asset name.
Changes/Device/
Configuration
Changes by
User
This report shows recent
configuration changes
grouped by user and type,
and sorted
chronologically. Use this
report to find all the
made by a specific user.
Changes/Device/Common/
Resources that Support the Device Configuration Changes Group, continued

Database
Errors and
Warnings
database errors and
warnings. A chart shows
the top ten errors and
warnings. A table lists all
the errors and warnings
chronologically.
Host
Configuration
Modifications
by Customer
This report shows the
host configuration
modifications by
customer.
Systems With
Criticality
Ratings by
Zone
This report displays the
address, device zone
name, and names of
assets that are modeled
under the Criticality asset
category.
Changes/Critical Systems/
Assets with
Configuration
Changes -
Past Week
listing of assets that have
been modified within the
last week and the user
that made the
modifications. The listing
is sorted first by zone,
then by asset name.
Changes/Device/
Host
Configuration
Modifications
by OS
host configuration
modifications by operating
system.
Configuration
Changes by
Type
configuration changes,
grouped by type and user,
and sorted
report to find all
configuration changes of a
certain type.
VPN
Configuration
Changes
description.
Changes/Device/VPN/

Router
Configuration
Changes
description.
Switch
Configuration
Changes
description.
Current Asset
Configurations
listing of the assets
modeled in and monitored
by the ArcSight system,
and the current
configuration information
available to the system
regarding those assets.
This report provides
information on the
operating system and the
services running on the
selected set of hosts. For
information about
vulnerabilities, see the
reports in the
Detail/Vulnerabilities
section. This report is part
of the host-specific
content. Note: This report
contains data on the
number of assets defined
by the Row Limit (10,000
by default). Running this
report might affect
performance, especially if
your system contains
several hundred thousand
assets.
Monitoring/Details/

Cisco - IOS
Configuration
Changed
This rule detects an IOS
configuration change.
This rule looks for events
with a Device Event
Class ID of
SYS:CONFIG for Cisco
Routers. This rule only
requires one such event
within one minute. After
this rule triggers, the
agentSeverity event field
is set to medium. This rule
is triggered by events
generated by CISCO
routers.
Rule ArcSight Foundation/Configuration
Monitoring/Detail/Devices/Routers/
Cisco/
Library Resources
Assets with
Recent
Configuration
Modifications
This active list tracks
devices and hosts that
have had some sort of
in the past seven days.
Active
List
Monitoring/
Criticality This is a system asset
category.
Asset
Category
Scanned This is a site asset
category.
Asset
Category
Site Asset Categories
Open Port This is a site asset
category.
Asset
Category
Application This is a site asset
category.
Asset
Category
Operating
System
This is a site asset
category.
Asset
Category
Most Common
Host
Configuration
Change
Events
This data monitor displays
the top ten most common
host configuration
changes. By default, the
data monitor displays a
pie chart.
Data
Monitor
Summaries/Host Configuration
Modifications/

Host
Configuration
Change Event
Counts by
Zone
the top ten zones with
configuration changes. By
default, the data monitor
displays a pie chart.
Data
Monitor
Modifications/
Last 20 Host
Configuration
Modification
Events
the last 20 host
configuration events seen
by the system. Events are
noted by customer,
system, and reporting
device in addition to the
change type information.
Data
Monitor
Modifications/
TargetHost This variable returns
available target
information from an event.
The format of the
information is
targetZoneName. |
<targetHostName> |
<targetAddress>:<target
Port> Information that is
not in the event will not
show a place-holder.
Examples: RFC1918:
192.168.0.0-
192.168.255.255 |
Itwiki.sv.arcsight.com |
192.168.10.20:80
RFC1918: 192.168.0.0-
192.168.255.255 |
192.168.10.30:53
RFC1918: 192.168.0.0-
192.168.255.255:53
192.168.10.30:53
unknown
Global
Variable
ArcSight Foundation/Variables
Library/Host Information

DeviceInfo This variable returns the
device information,
including the device
vendor, the device
product, and the device
version, if available within
the event. The format is
deviceVendor. |
<deviceProduct> or
<deviceVendor> |
<deviceProduct> v.
<deviceVersion>
Global
Variable
Library
VPN Events This filter identifies events
in which the category
device group is VPN.
Filter ArcSight Foundation/Common/Device
Class Filters
Configuration
Modifications
configuration
modifications on any
system or device. This
content.
Filter ArcSight Foundation/Configuration
Monitoring/
Target
Address is
NULL
This filter is designed for
conditional expression
variables. The filter
identifies events where
the target address is
NULL.
Filter ArcSight
Foundation/Common/Conditional
Variable Filters/Host
Target Zone
AND Host are
NULL but
Address is
NOT NULL
in which either the target
zone or target address
field is NULL, but not
both.
Filter ArcSight
Virtual Private
Network
description.
Changes/Device/VPN/

Target Host
Name is NULL
the Target Host Name is
NULL.
Filter ArcSight
Target
Information is
NULL
in which the target zone,
target host name, and
target address fields are
NULL.
Filter ArcSight
All Events This filter matches all
events.
Filter ArcSight System/Core
ArcSight
Events
This filter captures all
events generated by
ArcSight, including events
generated by ArcSight
SmartConnectors. These
events include system
monitoring and health
events, correlation events
from rules, and data
monitors. Note: Data from
devices collected by
included.
Target Port is
NULL
in which the target port
field is NULL.
Filter ArcSight
Device
Version is
NULL
in which the device
product field is NULL.
Filter ArcSight
Variable Filters/Device
All Device
Information is
NULL
in which there is no device
information, meaning that
the device vendor, device
product, and device
version fields are all
NULL.
Filter ArcSight

Device Vendor
OR Product is
NULL
in which the device
vendor or device product
field is NULL, but not
both.
Filter ArcSight
Router This resource has no
description.
Switch This resource has no
description.
Host
Configuration
Modifications
This filter provides a more
focused subset of
events for use when
monitoring or reporting on
host-specific
This filter is a part of the
host-specific
content.
Changes/
Target Zone
OR Host is
NULL
in which either the target
zone or target host name
field is NULL.
Filter ArcSight
Device Vendor
AND Product
are NULL
in which the device
vendor and device product
fields are NULL.
Filter ArcSight
Target Zone
AND Host are
NULL
in which the target zone
and target host name
fields are NULL.
Filter ArcSight
Target Zone is
NULL
the Target Zone is NULL.
Filter ArcSight

Non-ArcSight
Events
events that are not
generated by ArcSight or
ArcSight
SmartConnectors.
Configuration
Changes by
User
VPN configuration
changes grouped by user,
sorted chronologically.
Use this report to find all
the configuration changes
Focused
Report
Changes/Device/VPN/
Configuration
Changes by
Type
VPN configuration
changes grouped by type
(name), sorted
certain type.
Focused
Report
Changes/Device/VPN/
Host
Configuration
Modifications
This query retrieves host
related configuration
modification events since
midnight of the current
day.
Query ArcSight Foundation/Configuration
Changes/
Misconfigurati
ons
description.
Host
Configuration
Modifications
by OS
This query retrieves host
data (restricted by the
Host Configuration
Modifications filter).
Assets with
Configuration
Modifications-
Last Day
This query retrieves a list
of assets that have had
configuration changes in
the last day. The data is
retrieved from the Assets
with Recent Configuration
Modifications active list.
Monitoring/Details/

Router
Configuration
Changes
description.
Systems With
Criticality
Ratings by
Zone
This query returns the
address, device zone
name, and names of
assets that are modeled
under the Criticality asset
category.
Monitoring/Details/Critical
Systems/
Configuration
Changes by
Zone Last
Week Trend
Query
This query retrieves
information about the total
number of configuration
changes that occurred in
your zones over the past
seven days. The events
are counted and grouped
by day and month for ease
of use in a chart or
summary table.
Monitoring/Details/
Host
Configuration
Modifications
on Trend
This query retrieves data
from the Host
Configuration
Modifications trend to
provide a summary of the
host configuration
modification activity. This
query is a part of the
content.
VPN
Configuration
Changes
description.
Changes/Device/VPN/
Database
Errors and
Warnings
(Chart)
count of database errors
and warnings by event
name.
Changes/Device/Database Errors and
Warnings/
Switch
Configuration
Changes
description.

Assets with
Configuration
Modifications-
Last 7 Days
This query retrieves a list
of assets have had
within the last 7 days.
This query checks the
Assets with Recent
Configuration
Modifications active list.
Monitoring/Details/
Misconfigurati
ons
description.
Changes/Device/VPN/
Assets with
Recent
Configuration
Modifications
by Vendor and
Product
This query collects
information about a day's
worth of configuration
changes to your various
assets. The data retrieved
includes information about
the asset affected, the
asset causing the change
(if any), and the vendor
and product information
about the asset that was
changed.
Monitoring/Details/
Configuration
Changes
This query returns all the
changes made to devices.
The query returns the
name, the user, the
device, and the time the
change was made.
Changes/
Host
Configuration
Modifications
Summary
providing a summary of
the host configuration
modification activity for
the Host Configuration
Modifications trend. This
content.
Misconfigurati
ons
description.

Current Asset
Configurations
This query provides a
listing of the assets
modeled in and monitored
by the ArcSight system
and the current
configuration information
available to the system
regarding those assets. It
provides information on
the operating system and
services running on the
selected set of hosts.
Note: This query returns
data up to the Row Limit
(10,000 by default)
assets. Running this
query night affect
performance.
Monitoring/Details/
Host
Configuration
Modifications
by Customer
This query returns host
data (restricted by the
Host Configuration
Modifications filter).
Database
Errors and
Warnings
This query retrieves all the
database error and
warning events. The
query returns the time,
event name, result, user
name, and category
significance.
Changes/Device/Database Errors and
Warnings/
Simple Table
Portrait
This template is designed
to show a table. The
Report
Templat
e
Simple Table
Landscape
Report
Templat
e
Chart and
Table
Landscape
to show one chart and a
table. The orientation is
landscape.
Report
Templat
e
ArcSight System/1 Chart/With Table

Chart and
Table Portrait
portrait.
Report
Templat
e
Host
Configuration
Modifications
This trend provides a
summary of the host
activity.
Trend ArcSight Foundation/Configuration
Monitoring/Asset Configuration
Change Tracking/
Assets with
Recent
Configuration
Modifications
(Daily)
This trend retrieves
changes to assets within
the last day and stores
change itself as well as
who made the change.
Change Tracking/

Hosts and Applications Overview
The Hosts and Applications Overview resources provide an overview of the configuration of systems
with common applications, such as email servers and databases.
Configuration
Categorize the assets in your environment in the following groups (unless the assets are categorized
automatically by vulnerability scanners):
l Site Asset Categories/Business Impact Analysis/Business Role
l System Asset Categories/Criticality
l Site Asset Categories/Business Impact Analysis/Data Role
l Site Asset Categories/Operating System
l Site Asset Categories/Application/Type/Email
l Site Asset Categories/Application/Type/Web Server
Hosts and Applications Overview Resources
The following table lists all the resources in the Hosts and Applications Overview group.
Monitor Resources
Database
Errors
This dashboard shows the
most recent and the top
errors affecting database
applications on the network.
Dashboar
d
Resources that Support the Hosts and Applications Overview Group

Host
Problems
Overview
This dashboard shows
several data monitors that
focus on host problem
events. The two Top Value
Counts (Bucketized) data
monitors show charts of the
event counts by zone or the
most common events. The
Last N Events data monitor
shows the last 20 events.
Dashboar
d
Configuratio
n Changes
by User
and sorted chronologically.
Use this report to find all the
configuration changes made
by a specific user.
Database
Errors and
Warnings
database errors and
warnings. A chart shows the
top ten errors and warnings.
A table lists all the errors and
warnings chronologically.
All Revenue
Generating
Assets
description.
Monitoring/Details/Inventory/Role
s/
Mail Servers This resource has no
description.
s/
Web
Servers
description.
s/
Configuratio
n Changes
by Type
certain type.
Resources that Support the Hosts and Applications Overview Group, continued

Host
Summary by
Business
Role
breakdown of assets by
business role and displays
an overview of the asset
configurations. This report is
Monitoring content.
Monitoring/Executive
Summaries/Overall Host
Configuration/
Host
Configuratio
n Events By
Zone
breakdown of host
configuration events by zone
and displays an overview of
the asset configurations.
This report is part of the
content.
Configuration/
Host
Summary by
Criticality
criticality and displays an
overview of the asset
Monitoring content.
Configuration/
Host
Summary by
Operating
System
summary pie chart showing
the breakdown of assets by
operating system. This chart
and others are combined to
produce an overview of the
asset configurations. This
report is a part of the
content.
Configuration/
Assets with
Applications
This report provides a listing
of all assets that have been
scanned for applications or
that have been categorized
manually with applications.
This report is part of the
content.
Monitoring/Details/Inventory/

Host
Summary by
Data Role
breakdown of assets by data
role and displays an
overview of the asset
Monitoring content.
Configuration/
Library Resources
Email This is a site asset category. Asset
Category
Site Asset
Categories/Application/Type
Data Role This is a site asset category. Asset
Category
Site Asset Categories/Business
Impact Analysis
Criticality This is a system asset
category.
Asset
Category
Business
Role
This is a site asset category. Asset
Category
Impact Analysis
Application This is a site asset category. Asset
Category
Web Server This is a site asset category. Asset
Category
Site Asset
Categories/Application/Type
Operating
System
Category
Revenue
Generation
Category
Impact Analysis/Business Role
Last 10
Database
Errors
the most recent database
error events.
Data
Monitor
Summaries/Database Errors/
Last 20 Host
Problems
last 20 host issues noted by
ArcSight. This data monitor
is used in the Host Problems
Overview data monitor.
Data
Monitor
Summaries/Host Problems Overview/

Top 10
Database
Errors
top ten systems with events
matching the AV - Found
Infected filter (the Category
Device Group starts with
/IDS/Host/Antivirus, the
Category Outcome is
/Failure, and the Category
Behavior is
/Found/Vulnerable).
Data
Monitor
Summaries/Database Errors/
Host
Problem
Event
Counts by
Zone
This data monitor shows
host-specific problems noted
by ArcSight, by zone. By
default this data monitor
displays a pie chart of the top
ten zones by problem event
volume.
Data
Monitor
Most
Common
Host
Problem
Events
top ten most common
problems seen on your
monitored hosts.
Data
Monitor
TargetHost This variable returns
available target information
from an event. The format of
the information is
targetZoneName. |
<targetHostName> |
<targetAddress>:<targetPor
t> Information that is not in
the event will not show a
place-holder. Examples:
RFC1918: 192.168.0.0-
192.168.255.255 |
Itwiki.sv.arcsight.com |
192.168.10.20:80 RFC1918:
192.168.0.0-
192.168.255.255 |
192.168.10.30:53 RFC1918:
192.168.0.0-
192.168.255.255:53
192.168.10.30:53 unknown
Global
Variable
Library/Host Information

DeviceInfo This variable returns the
device information, including
the device vendor, the
device product, and the
device version, if available
within the event. The format
is deviceVendor. |
<deviceProduct> or
<deviceVendor> |
<deviceProduct> v.
<deviceVersion>
Global
Variable
Library
Configuratio
n
Modification
s
configuration modifications
on any system or device.
This resource is a part of the
content.
Monitoring/
Host
Problems
This filter identifies host-
related problems and errors.
This filter is part of the
content.
Target
Address is
NULL
variables. The filter identifies
events where the target
address is NULL.
Filter ArcSight
Target Zone
AND Host
are NULL
but Address
is NOT
NULL
which either the target zone
or target address field is
NULL, but not both.
Filter ArcSight
Target Host
Name is
NULL
events where the Target
Host Name is NULL.
Filter ArcSight

Target
Information
is NULL
which the target zone, target
host name, and target
address fields are NULL.
Filter ArcSight
Database
Errors
where the category device
group is Application, the
category object is
/Host/Application/Database,
and the category
significance is
/Informational/Warning or
/Informational/Error.
events.
Database
Events
/Host/Application/Database.
ArcSight
Events
generated by ArcSight,
including events generated
by ArcSight
included.
Target Port
is NULL
which the target port field is
NULL.
Filter ArcSight
Device
Version is
NULL
which the device product
field is NULL.
Filter ArcSight

All Device
Information
is NULL
which there is no device
information, meaning that the
device vendor, device
product, and device version
fields are all NULL.
Filter ArcSight
Device
Vendor OR
Product is
NULL
which the device vendor or
device product field is NULL,
but not both.
Filter ArcSight
Host
Configuratio
n
Modification
s
This filter provides a more
focused subset of
events for use when
monitoring or reporting on
host-specific configuration
changes. This filter is a part
of the host-specific
content.
Changes/
Target Zone
OR Host is
NULL
which either the target zone
or target host name field is
NULL.
Filter ArcSight
Device
Vendor AND
Product are
NULL
which the device vendor and
device product fields are
NULL.
Filter ArcSight
Target Zone
AND Host
are NULL
which the target zone and
target host name fields are
NULL.
Filter ArcSight
Target Zone
is NULL
events where the Target
Zone is NULL.
Filter ArcSight

Non-
ArcSight
Events
that are not generated by
ArcSight or ArcSight
SmartConnectors.
Configuratio
n Changes
by User
database configuration
changes and lists all the
sorted chronologically. Use
this report to find all the
configuration changes made
by a specific user.
Focused
Report
Configuratio
n Changes
by Type
database configuration
changes and lists all the
changes, grouped by type,
sorted chronologically. Use
this report to find all the
certain type.
Focused
Report
Host
Summary by
Business
Role
This query returns a
Business Role. This query is
a part of the Configuration
Monitoring content.
Configuration/
Host
Summary by
Data Role
Data Role. This query is part
of the Configuration
Monitoring content.
Configuration/
All Revenue
Generating
Assets
description.
s/
Web
Servers
description.
s/
Database
Errors and
Warnings
(Chart)
This query returns the count
of database errors and
warnings by event name.
Changes/Device/Database Errors
and Warnings/

Host
Summary by
Criticality
Criticality. This query is part
Monitoring content.
Configuration/
Assets with
Applications
This report shows all Assets
that have been scanned for
applications or that have
been manually categorized
with Applications. This report
is part of the Configuration
Monitoring content.
Monitoring/Details/Inventory/
Host
Summary by
Operating
System
operating system. This query
is part of the Configuration
Monitoring content.
Configuration/
Configuratio
n Changes
The query returns the name,
the user, the device, and the
time the change was made.
Changes/
Host
Configuratio
n
Modification
s Summary
providing a summary of the
host configuration
modification activity for the
Host Configuration
Modifications trend. This
content.
Mail Servers This resource has no
description.
s/
Database
Errors and
Warnings
This query retrieves all the
database error and warning
events. The query returns
the time, event name, result,
user name, and category
significance.
Changes/Device/Database Errors
and Warnings/

Host
Configuratio
n Events By
Zone
breakdown of host
configuration events by zone
from the Host Configuration
Modifications trend.
Configuration/
Simple
Table
Portrait
show a table. The orientation
is portrait.
Report
Template
Simple
Chart
Portrait
show one chart. The
Report
Template
ArcSight System/1 Chart/Without
Table
Chart and
Table
Landscape
show one chart and a table.
The orientation is landscape.
Report
Template
Table
Host
Configuratio
n
Modification
s
This trend provides a
summary of the host
activity.
Change Tracking/

Security Application and Device Configuration Changes
The Security Application and Device Configuration Changes resources provide information about
configuration changes to security applications.
Devices
The following device types can supply events that apply to the Security Application and Device
Configuration Changes resource group:
l Anti-Virus
l Firewalls
l Intrusion Detection Systems
Security Application and Device Configuration Changes
Resources
The following table lists all the resources in the Security Application and Device Configuration Changes
group.
Monitor Resources
Firewall
Configuration
Changes
description.
Report ArcSight
Update Summary
- Regulated
Systems
target zone name, target
host name, target address,
product, category
outcome, and the sum of
the aggregated event
count from yesterday's
events on assets
categorized as having a
regulation requirement.
Report ArcSight Foundation/Intrusion
Summaries/Anti-Virus
Resources that Support the Security Application and Device Configuration Changes Group

Update Overview
(MSSP)
customer, time, target
zone name, target host
name, target address,
product, category
count of all events related
to virus update information
files for yesterday.
Report ArcSight
Changes/Device/Anti-Virus
Failed Anti-Virus
Updates
This report displays a table
with the anti-virus vendor
and product name as well
as the hostname, zone,
and IP address of the host
on which the update failed.
The time (EndTime) at
which the update failed is
also displayed. This report
runs against events that
occurred yesterday.
Report ArcSight
Failed Anti-Virus
Updates (MSSP)
name, target address, and
device product of all
events in the past 24 hours
that have failed to update
virus information files.
Report ArcSight
Firewall
Misconfigurations
description.
Report ArcSight
Resources that Support the Security Application and Device Configuration Changes Group,
continued

Failed Anti-Virus
Updates -
Regulated
Systems
product, target zone name,
target host name, target
address, and minute
(EndTime) from events
that match the AV - Failed
Updates filter and target
assets that are
categorized in one of the
regulated asset categories
for yesterday.
Report ArcSight Foundation/Intrusion
Failed Anti-Virus
Updates -
Regulated
Systems (MSSP)
customer, device vendor,
device product target zone
name, target host name,
target address, and minute
assets that are
regulated asset categories
for yesterday.
Report ArcSight
Update Summary This report displays a
summary of the results of
anti-virus update activity
by zones since yesterday.
Report ArcSight
Errors Detected
in Anti-Virus
Deployment
hosts reporting the most
anti-virus errors for the
previous day and includes
the anti-virus product, host
details, error information,
and the number of errors.
Report ArcSight
HIDS
Misconfigurations
description.
Report ArcSight
Changes/Device/IDS/
continued

Configuration
Changes by User
Report ArcSight
Update Overview
- Regulated
Systems (MSSP)
customer, target zone
target address, device
vendor, device product,
category outcome, and the
sum of the aggregated
event count from
yesterday's events on
assets categorized as
having a regulation
requirement.
Report ArcSight
Top Infected
Systems
This report displays
summaries of the systems
reporting the most
infections during the
previous day.
Report ArcSight
Configuration
Changes by Type
certain type.
Report ArcSight
NIDS
Misconfigurations
description.
Report ArcSight
Changes/Device/IDS/
Library Resources
Compliance
Requirement
category.
Asset
Category
continued

Network Events This filter identifies events
starts with Network or the
category device group
starts with Network
Equipment.
Filter ArcSight
Filters
Configuration
Modifications
configuration
modifications on any
system or device. This
content.
Filter ArcSight
Monitoring/
Update Events This filter identifies events
related to anti-virus
product data file updates.
Filter ArcSight Foundation/Common/Anti-
Virus
events.
Host IDS This resource has no
description.
Filter ArcSight
Changes/Device/IDS/
ArcSight Events This filter captures all
events generated by
included.
Anti-Virus Events This filter identifies events
device group is
/IDS/Host/Antivirus.
Virus
continued

Network IDS This resource has no
description.
Filter ArcSight
Changes/Device/IDS/
Firewall This resource has no
description.
Filter ArcSight
Identity
Management
Events
in which the Category
Identity Management.
Filter ArcSight
Filters
AV - Found
Infected
This filter identifies all
events where the
Category Device Group
starts with
Category Outcome is
/Success, and the
Category Behavior is
/Found/Vulnerable.
Virus
Firewall Events This filter retrieves events
with the Firewall category
device group.
Filter ArcSight
Filters
AV - Failed
Updates
This filter identifies all anti-
virus update events
(based on the Update
Events filter), where the
Category Outcome is
Failure.
Virus
Non-ArcSight
Events
events that are not
ArcSight
SmartConnectors.
continued

Configuration
Changes by User
firewall configuration
Focused
Report
ArcSight
Configuration
Changes by Type
identity management
grouped by type (name),
of a certain type.
Focused
Report
ArcSight
Changes/Device/Identity
Management/
Configuration
Changes by User
This report displays anti-
virus configuration change
events reported the
previous day. Use this
Focused
Report
ArcSight
Configuration
Changes by Type
network configuration
changes grouped by type
(name), and sorted
certain type quickly.
Focused
Report
ArcSight
continued

Configuration
Changes by Type
name, the user making the
change, device
information, and the time
of the change for anti-virus
events reported the
previous day. Use this
certain type.
Focused
Report
ArcSight
Configuration
Changes by Type
firewall configuration
changes grouped by type,
of a certain type.
Focused
Report
ArcSight
Configuration
Changes by User
network configuration
Focused
Report
ArcSight
Configuration
Changes by User
identity management
grouped by user, and
Focused
Report
ArcSight
Management/
continued

Failed Anti-Virus
Updates
This query identifies the
product, target zone name,
address, and time
Updates filter.
Query ArcSight Foundation/Intrusion
Monitoring/Detail/Anti-Virus
Update Overview
(MSSP)
name, target address,
product, category
count of all events related
to virus update information
files.
Query ArcSight Foundation/Common/Anti-
Virus
Failed Anti-Virus
Updates Chart -
Regulated
Systems
target zone name and the
event count from events
Updates filter.
Virus
NIDS
Misconfigurations
description.
Query ArcSight
Changes/Device/IDS/
Failed Anti-Virus
Updates -
Regulated
Systems
product target zone name,
address, and minute
assets that are
regulated asset
categories.
continued

Top Zones with
Anti-Virus Errors
This query identifies data
from events where the
Category Device Group is
Category Object starts
with /Host/Application, the
Category Outcome is not
/Success, and the
Category Significance
starts with /Informational.
The query returns the zone
and the number of times
the error occurred.
Virus/Errors
Update Summary
- Regulated
Systems
product, category
count from events that
have the category
behavior of
/Modify/Content, the
category object of
/Host/Application, the
category device group of
/IDS/Host/Antivirus, and
target assets that are
regulated asset
categories.
Firewall
Configuration
Changes
description.
Query ArcSight
continued

Failed Anti-Virus
Updates -
Regulated
Systems (MSSP)
name, target address, and
device product for all
virus information files for
any asset categorized with
a regulation compliance
requirement.
Virus
Configuration
Changes
name, the user, the
device, and the time the
change was made.
Query ArcSight
Changes/
Update Summary This query identifies the
product, category
match the Update Events
filter.
Top Infected
Systems
Infected filter (the
starts with
Category Outcome is
/Success, and the
/Found/Vulnerable).
Monitoring/Detail/Anti-Virus/Top
Infected Systems
continued

Firewall
Misconfigurations
description.
Query ArcSight
Infected Systems This query identifies data
Infected filter where the
starts with
Category Outcome is
/Success, and the
/Found/Vulnerable.
Monitoring/Detail/Anti-Virus/Top
Infected Systems
Failed Anti-Virus
Updates (MSSP)
Name, target address, and
device product for all
virus information files.
Virus
Update Overview
Chart (MSSP)
customer name, target
zone name, category
filter.
Virus
continued

Anti-Virus Errors This query identifies data
/Success, and the
priority, vendor
information, host
information, error name,
and the number of times
the error occurred.
Virus/Errors
Failed Anti-Virus
Updates Chart
(MSSP)
customer name and the
Updates filter.
Virus
HIDS
Misconfigurations
description.
Query ArcSight
Changes/Device/IDS/
Update Summary
Chart - Regulated
Systems
target zone name,
that match the Update
Events filter.
Virus
Failed Anti-Virus
Updates Chart -
Regulated
Systems (MSSP)
customer name and the
Updates filter.
Virus
continued

Update Overview
Chart - Regulated
Systems (MSSP)
customer name, target
zone name, category
filter.
Virus
Failed Anti-Virus
Updates Chart
target zone name and the
Updates filter.
Virus
Update Overview
- Regulated
Systems (MSSP)
customer, target zone
target address, device
vendor, device product,
that have the category
behavior of
/Modify/Content, the
category object of
/Host/Application, the
category device group of
/IDS/Host/Antivirus, and
target assets that are
regulated asset
categories.
Virus
Update Summary
Chart
target zone name,
that match the Update
Events filter.
continued

Top Anti-Virus
Errors
/Success, and the
The query returns the error
name and the number of
times the error occurred.
Virus/Errors
Simple Table
Portrait
Report
Template
Chart and Table
Landscape
landscape.
Report
Template
Table
Chart and Table
Portrait
portrait.
Report
Template
Table
Two Charts One
Table Landscape
to show two charts and a
landscape.
Report
Template
ArcSight System/2 Charts/With
Table
continued

User Configuration Changes
The User Configuration Changes resources provide information about user configuration by identifying
and monitoring user accounts and the hosts/addresses associated with them. This ties a user to
certain IP addresses, MAC addresses, host-names, zones, and so on. The reports cover user account
additions, modifications to those accounts, and account removal.
Monitoring user account activity can show changes to user privileges and roles, as well as user
account creations or deletions. User account privileges should be associated with adding or removing
access to network resources that the user no longer requires, and should be done by an administrator
with the authority to change those privileges. Random account modifications by unexpected sources
are indications of a security concern. Random creation or deletions of accounts are also suspect.
User Configuration Changes Resources
The following table lists all the resources in the User Configuration Changes group.
Monitor Resources
User
Configuration
Modifications
- Today
This query viewer shows
events related to users for
the current day.
Query
Viewer
Changes/
User
Configuration
Modifications
- Yesterday
This query viewer shows
events related to users for
the previous day.
Query
Viewer
Changes/
Password
Changes by
Zone
of the password changes
for the past 30 days.
Changes/User/Accounts
Modified/Password/
Configuration
Changes per
User by Zone
Last Week
This report provides a view
of users that have made
configuration changes over
the past week (sorted by
zone) and the number of
changes each user made.
Changes/User/
Resources that Support the User Configuration Changes Group

Accounts
Deleted by
Host
of user deletions over the
previous 30 days, ordered
by customer, zone, and
system. This report is a part
Monitoring content.
Changes/User/Accounts Deleted/
Password
Changes
This report shows
password changes for the
previous day and groups the
password changes by user,
Modified/Password/
User
Removals -
Last 30 Days
summary of the user
removals over the last 30
days. Focus this report on a
certain zone (use the
FilterBy parameter) to
provide a manageable and
useful data set.
Most
Common
Account
Login Failures
by Attacker
User
(Yesterday)
category object, attacker
address, attacker asset
name, attacker NT domain,
attacker user ID, attacker
user name, attacker zone
name, and the sum of the
aggregated event count.
Changes/User/Asset Tracking/
By User
Account -
Accounts
Deleted
description.
By User
Account -
Accounts
Created
This report generates a
table of all user accounts
created in the last day.
Changes/User/Accounts Created/
Resources that Support the User Configuration Changes Group, continued

VPN User
Account
Creation
This report shows all VPN
user account creations for
the past 30 days. The fields
Target Zone Name, Target
User ID, and Attacker User
Name are renamed Zone,
New Account, and Creator
in the report.
Configuration
Changes per
User Last
Week
This report provides a view
of users that have made
configuration changes over
the past week, sorted by
the number of changes
each user made.
Changes/User/
User Account
Modifications
This report shows an
overview of the user
account modifications for
the past 30 days.
Changes/User/Accounts Modified/
AAA User
Account
Creation
This report shows all AAA
user account creation for
the past 30 days.
User Account
Creation
description.
AAA User
Account
Deletions -
Last 30 Days
This report displays a table
of the AAA user accounts
that have been deleted over
the past 30 days, based on
data collected in the AAA
User Account Deletions
trend. Note: The AAA User
Account Deletions Trend is
User
Administratio
n
This report shows a
summary of user and user
group creation,
modification, and deletion.
Changes/User/

Account
Creation by
Host - Last
Week
of the account creation
events seen over the past
week on your monitored
assets. Note: This report
detects host-local user
account creations, not
authentication service
account creations;
therefore, the report does
not pick up user additions in
the Active Directory. The
Account Creation by Host
trend is not enabled by
default. This report is a part
Monitoring content.
Password
Changes by
System
Modified/Password/
Password
Changes by
User
Modified/Password/
Library Resources
Business
Role
category.
Asset
Category
Impact Analysis
VPN Events This filter identifies events
device group is VPN.
Class Filters
User Account
Modifications
This filter identifies user
account modification
events. The filter is a part of
the Configuration
Monitoring content.
Changes/User/

Configuration
Modifications
on any system or device.
This resource is a part of
the Configuration
Monitoring content.
Monitoring/
User Account
Login
Attempts
This filter uses ArcSight
categories to choose
events that indicate user
login attempts. These might
be successful or failures.
Failed User
Account
Login
Attempts
event categories to identify
failed user account login
attempts.
Successful
Password
Changes
This filter selects events
related to successful
password changes, defined
as having the category
behavior of
/Authentication/Modify and
the category outcome of
success.
Changes/User/
AAA User
Account
Creations
account creation activity on
AAA systems. This filter is
Monitoring content.
Changes/Device/AAA/
User Account
Creations
account addition events.
The filter is a part of the
content.
Changes/User/
events.
Database
Events
/Host/Application/Databas
e.

ArcSight
Events
events generated by
included.
VPN User
Account
Creations
showing VPN user account
creation information. The
filter uses the VPN User
Configuration Activity filter
and looks for the
/Authentication/Add
category behavior.
Changes/Device/VPN/
Identity
Management
Events
in which the Category
Identity Management.
Class Filters
Operating
System
Events
device group is Operating
System.
Class Filters
AAA User
Configuration
Activity
configuration activity on
AAA systems. The filter is a
Monitoring content.
Changes/Device/AAA/
VPN User
Configuration
Activity
configuration activity on
VPN systems. This filter is
a part of the Configuration
Monitoring content.
Changes/Device/VPN/

AAA User
Account
Deletions
account deletion activity on
AAA systems. This filter is
Monitoring content.
Changes/Device/AAA/
Non-ArcSight
Events
events that are not
ArcSight SmartConnectors.
User Account
Deletions
account deletion events.
This filter is a part of the
content.
Changes/User/
User Account
Modifications
- Last 30
Days
description.
Focused
Report
Monitoring/SANS Top 5 Reports/3 -
Unauthorized Changes to Users,
Groups and Services/
Password
Changes
This report shows database
Focused
Report
Password
Changes
This report shows identity
management password
changes for the previous
day and groups the
Focused
Report
Management/
Password
Changes -
Last 30 Days
description.
Focused
Report
Password
Changes
This report shows VPN
Focused
Report
Changes/Device/VPN/

User Account
Deletions -
Last 30 Days
description.
Focused
Report
User Account
Creations -
Last 30 Days
description.
Focused
Report
Password
Changes
This report shows operating
system password changes
for the previous day and
groups the password
changes by user, sorted
chronologically.
Focused
Report
Changes/Device/Operating System/
VPN User
Account
Creation
Trend
This query on events
restricted by the VPN User
Account Creations filter
retrieves the customer,
attacker user name,
attacker zone, target
address, target asset name,
target host name, target Nt
domain, target user ID,
target user name, and target
zone for the VPN User
Account Creation trend.
Changes/User/Creation/
Trend on AAA
User Account
Creation
This query on the AAA User
Account Creation trend
retrieves the customer
name, attacker user name,
attacker zone name, target
zone name for the AAA
User Account Creation
report.

AAA User
Account
Deletions
Trend
customer, attacker user
name, attacker zone, target
domain, target user ID, and
target user name for events
matching the AAA User
Account Deletions filter.
Changes/User/Deletion/
User
Removals
This query retrieves user
account deletion data
(restricted by the User
Account Deletions filter).
AAA User
Account
Creation
Trend
This query retrieves events
passed by the AAA User
Account Creations filter,
returning the customer,
attacker user name,
zone for the AAA User
Account Creation trend.
User
Removals on
Trend
This query retrieves the
user account deletion data
(restricted by the User
Account Deletions filter),
grouped by customer.
Trend on
Password
Modifications
This query returns data from
the Password Modifications
trend for use in the
Password Changes by
<System/User/Zone>
reports.
Changes/User/Modification/Passwor
d/

Password
Changes
This query returns
information related to
successful password
changes, defined as having
the category behavior of
/Authentication/Modify and
the category outcome of
Success.
d/
Account
Creation by
Host on Trend
This query on the Account
Creation by Host trend
provides a listing of the
account creation events
seen within the past week
on your monitored assets.
Note: The Account Creation
by Host trend is not enabled
by default. This query is a
Monitoring content.
User Account
Creation
Trend
restricted by the User
Account Creations filter
returns the customer,
attacker user name,
zone for the User Account
Creation trend.

Account
Creation by
Host
This query provides a listing
events seen within the past
day on your monitored
assets. Note: This query
retrieves host-local user
account creations, instead
of authentication service
account creations so that it
does not retrieve user
additions in the Active
Directory. This query is a
Monitoring content.
User
Configuration
Modifications
previous day of
events related to users.
Changes/
By User
Account -
Accounts
Deleted
description.
Assets with
Recent
Configuration
Modifications
by Vendor
and Product
This query collects
information about a day's
worth of configuration
changes to your various
assets. The data retrieved
includes information about
the asset affected, the
asset causing the change (if
any), and the vendor and
product information about
the asset that was
changed.
Monitoring/Details/

Password
Modifications
Trend
restricted by the Successful
Password Changes filter
returns the attacker user ID,
attacker user name,
address, target asset ID,
target asset name, target Nt
target user name, target
zone, and sums the
aggregated event count for
use in the Password
Modifications trend.
d/
Most
Common
Account
Login Failures
by Attacker
User
(Yesterday)
category object, attacker
Address, attacker asset
name, attacker Nt domain,
attacker user ID, attacker
user name, attacker zone
name, and the sum of the
aggregated event count for
events matching the Failed
User Account Login
Attempts filter.
Accounts
Deleted by
Host Trend
Account Deletions filter
provides a listing of the
users deleted over the time
interval by System & Zone
for the Accounts Deleted by
Host trend.

User Account
Modifications
Trend
The query on events
Account Modifications filter
target zone, target address,
target asset ID, target asset
name, name, target user ID,
target user name,
aggregated event count and
end time for the User
Account Modifications
trend.
Changes/User/Modification/
Trend on User
Account
Modifications
This query on the User
Account Modifications trend
returns data for use in the
User Account Modifications
report.
Changes/User/Modification/
Trend on VPN
User Account
Creation
This query on the VPN User
user ID, and attacker user
name for the VPN User
Account Creation report.
The fields Target Zone
Name, Target User ID, and
Attacker User Name are
renamed Zone, New
Account, and Creator in the
report.
Trend on User
Account
Creation
This query on the User
returns the customer,
attacker user name,
zone for the User Account
Creation report.

By User
Account -
Accounts
Created
This query retrieves events
meeting the conditions
Category Behavior =
/Authentication/Add and
Category Outcome =
/Success, selecting End
Time, Target User Name,
Attacker User Name,
Name, Target Zone Name
and Target Host Name for
the By User Account -
Accounts Created report.
User
Administratio
n (Chart)
This query returns the count
of user (and user group)
creations, modifications,
and deletions.
Users That
Performed
Configuration
Modifications
Past Week
This query retrieves a list of
the users that performed
to assets in the past week.
Changes/User/
User
Administratio
n
This query returns the user
(and user group), creation,
modification, and deletion
events.
AAA User
Account
Deletions on
Trend
This query retrieves the
customer, attacker user
name, attacker zone, target
domain, target user ID, and
target user name from AAA
User Account Deletions
trend. Note: The AAA User
Account Deletions trend is
Simple Table
Portrait
show a table. The
Report
Templat
e

Chart and
Table
Landscape
The orientation is
landscape.
Report
Templat
e
Simple Table
Landscape
show a table. The
Report
Templat
e
Chart and
Table Portrait
The orientation is portrait.
Report
Templat
e
User
Removals
This trend collects user
account deletion data,
Account Deletions filter.
Monitoring/User Account
Modifications/
AAA User
Account
Deletions
This trend collects
information about AAA User
Accounts that have been
deleted. Note: This trend is
Modifications/
Account
Creation by
Host
This trend collects a listing
events seen over the past
day on your monitored
assets. Note: The query
retrieves host-local user
account creations instead
of authentication service
account creations so that
the trend does not collect
user additions in the Active
Directory. Note: The trend
data fields are renamed for
clarity when creating
reports. This trend is not
enabled by default.
Modifications/

Password
Modifications
This trend collects data for
monitoring password
changes, including the ID
for which the password was
changed and the ID of the
user making the change.
Note: This trend is not
enabled by default.
Modifications/
VPN User
Account
Creation
This trend collects
creation of VPN user
accounts. Note: This trend
is not enabled by default.
Modifications/
User Account
Creation
the User Account Creation
report.
Modifications/
User Account
Modifications
This trend collects data
relevant to tracking
modifications to user
accounts, specifically for
the User Account
Modifications report.
Modifications/
Assets with
Recent
Configuration
Modifications
(Daily)
This trend retrieves
changes to assets within
the last day and stores
change itself as well as who
made the change.
Change Tracking/
AAA User
Account
Creation
the AAA User Account
Creation report. Note: This
trend is not enabled by
default.
Modifications/

Vulnerabilities
The Vulnerabilities resources provide an overview about current vulnerabilities on systems.
Devices
Vulnerability scanners can supply events that apply to the Vulnerabilities resource group.
Vulnerabilities Resources
The following table lists all the resources in the Vulnerabilities group.
Monitor Resources
High-Priority
Scan Events
Directed
Toward
High-
Criticality
Assets -
Today
This query viewer
displays today's
scan results for a
view into high-
priority
vulnerabilities
detected on highly-
critical assets.
Query
Viewer
Monitoring/Operational Summaries/Asset
Vulnerability Scans/
High-Priority
Scan Events
Directed
Toward
High-
Criticality
Assets -
Yesterday
This query viewer
displays
yesterday's scan
results for a view
into high-priority
vulnerabilities
detected on highly-
critical assets.
Query
Viewer
10 Most
Vulnerable
Assets in
Confidential
Data Group
This resource has
no description.
Monitoring/Details/Vulnerabilities/
Resources that Support the Vulnerabilities Group

Exposed
Vulnerabilitie
s by Zone
Trend - Last
90 Days
a chart view of the
exposed
vulnerabilities
across your top
vulnerable zones
over the course of a
week. If you patch
on a monthly or
longer basis, use
the reports with
longer periods.
Monitoring/Details/Vulnerabilities/Crit
ical Assets/
High-Priority
Vulnerabilitie
s Detected
on Critical
Assets -
Yesterday
scan events from
yesterday where the
priority of the scan
event is greater than
5 (fairly severe) and
the target asset has
been categorized
with a high or very-
high criticality.
Exposed
Vulnerabilitie
s by Asset
This report shows a
table of exposed
vulnerabilities by
asset.
Top 10
Assets by
Exposed
Vulnerability
Counts
This resource has
no description.
Resources that Support the Vulnerabilities Group, continued

Vulnerability
Exposure by
Asset
Criticality -
Current
Month
a weekly view into
the vulnerability
exposure trend of
your critical assets
for the current
month. Note: If you
run this report
before the first trend
run of the month,
there will be no
data.
ical Assets/
Exposed
Vulnerability
Count by
Asset
This report lists the
count of
vulnerabilities per
asset and the ten
assets with the
most exposed
vulnerabilities.
All
Vulnerabilitie
s in Email
and Web
Server
Assets
This resource has
no description.
Exposed
Vulnerabilitie
s by Zone
Trend - Last
Month
a chart view of the
exposed
vulnerabilities
across your top
vulnerable zones
month. If you patch
on a monthly or
longer basis, use
the reports with
longer periods.
ical Assets/

Exposed
Vulnerabilitie
s by Zone
Trend - Last
Week
a chart view of the
exposed
vulnerabilities
across your top
vulnerable zones
week. If you patch
on a monthly or
longer basis use the
reports with longer
periods.
ical Assets/
Top 10
Exposed
Vulnerabilitie
s by Asset
Counts
This resource has
no description.
Blaster
Vulnerable
Hosts
This resource has
no description.
All Exposed
Vulnerabilitie
s
This resource has
no description.
Top
Vulnerability
Exposure of
Critical
Assets
the top 1000 assets
by vulnerability
count for the past
seven days from the
Top Vulnerability
Exposure of Critical
Assets trend. Note:
If you have fewer
than 1000 assets,
there might be more
than seven days
worth of data
selected.
ical Assets/
Vulnerabilitie
s of Assets
in North
America
This resource has
no description.

Warning -
Vulnerable
Software
This rule detects
vulnerable software.
The rule triggers
whenever a
vulnerable
application or
operating system is
found. The
vulnerability should
not be a scan
vulnerability. On the
first event, a
notification is sent
to SOC operators.
Monitoring/Detail/Vulnerabilities/
Warning -
Insecure
Configuratio
n
This rule detects
insecure object
configuration. The
rule triggers
whenever an
insecure object is
found or a security
check fails. On the
first event, a
notification is sent
to SOC operators.
Library Resources
Address
Spaces
category.
Asset
Category
Protected This is a site asset
category.
Asset
Category
Site Asset Categories/Address Spaces
Port 135 This is a site asset
category.
Asset
Category
Site Asset Categories/Open Port/TCP
Web Server This is a site asset
category.
Asset
Category
Site Asset Categories/Application/Type
category.
Asset
Category
Email This is a site asset
category.
Asset
Category
Site Asset Categories/Application/Type

category.
Asset
Category
Criticality This is a system
asset category.
Asset
Category
Confidential
Data
category.
Asset
Category
Site Asset Categories/Business Impact
Analysis/Data Role
High This is a system
asset category.
Asset
Category
System Asset Categories/Criticality
North
America
category.
Asset
Category
Site Asset Categories/Location
Very High This is a system
asset category.
Asset
Category
System Asset Categories/Criticality
High-Priority
Scan Event
for Critical
Asset
vulnerability scan
events that indicate
that a high-priority
vulnerability was
detected on a
system you have
marked with high or
very-high criticality.
All Events This filter matches
all events.
Vulnerability
Exposure by
Asset
Criticality -
Last 3
Months
a weekly view into
the vulnerability
exposure trend of
for the previous 3
months. This report
is based on the
Vulnerability
Exposure by Asset
Criticality - Current
Month report.
Focused
Report
ical Assets/
Exposed
Vulnerability
Count by
Critical
Asset
This report shows a
table of exposed
vulnerabilities on
assets categorized
as high criticality.
Focused
Report
ical Assets/

Vulnerability
Exposure by
Asset
Criticality -
Last 6
Months
a weekly view into
the vulnerability
exposure trend of
for the previous 6
months. The report
is based on the
Vulnerability
Exposure by Asset
Criticality - Current
Month report,
Focused
Report
ical Assets/

Vulnerability
Exposure by
Asset
Criticality -
Trend Query
- Snapshot
This query on
assets that have
been categorized
under /All Asset
Categories/System
Asset
Categories/Criticalit
y, returns the
address, device
zone ID, device
zone name, name, a
count of
vulnerability, and
the GetCriticality
variable for the
Vulnerability
Exposure by Asset
Criticality trend.
Note: This query
returns up to 10,000
(the default Row
Limit) assets with
the highest number
of vulnerabilities
(ORDER BY
COUNT
(Vulnerability)
DESC. If you are
using this query to
populate a trend (as
in the Vulnerability
Exposure by Asset
Criticality trend that
is part of the
Configuration
Monitoring Standard
Content), this Row
Limit will be
overridden by the
Row Limit of the
trend when it runs.
ical Assets/

10 Most
Vulnerable
Assets in
Confidential
Data Group
This resource has
no description.
Top 10
Assets by
Exposed
Vulnerability
Counts
This query counts
the vulnerabilities
for each asset that
is categorized under
/All Asset
Categories/System
Asset
y and returns the ten
assets with the
most vulnerabilities.
High-Priority
Scan Events
Directed
Toward
High-
Criticality
Assets
This query returns
yesterday's scan
results for a view
into high-priority
vulnerabilities
detected on highly-
critical assets.
Vulnerability
Exposure of
Critical
Assets on
Trend
the top 1000 assets
by vulnerability
count from the
Vulnerability
Assets trend, to be
used in the Top
Vulnerability
Assets trend.
ical Assets/

Exposed
Vulnerabilitie
s by Zone
Trend - Last
Week
This query on the
Vulnerability
Exposure of High
and Very-High
Criticality Assets by
Zone - Trend Query
returns the count of
vulnerability, device
zone name, and
timeStamp for the
Exposed
Vulnerabilities by
Zone Trend -
<various time
periods> reports.
ical Assets/
All Exposed
Vulnerabilitie
s
This resource has
no description.
Top 10
Exposed
Vulnerabilitie
s by Asset
Counts
This resource has
no description.
Vulnerabilitie
s of Assets
in North
America
This resource has
no description.

Exposed
Vulnerabilitie
s - High and
Very High
Criticality
Assets by
Zone - Trend
Query
This query tracks
how many
vulnerabilities highly
and very-highly
critical systems
have over time, by
zone. The query is
most often used
directly by a trend to
store a daily
snapshot of the
information. To
reduce storage
requirements, this
query only retrieves
a count of the
number of
vulnerabilities in
these zones, not the
full list of
vulnerabilities.
ical Assets/
Exposed
Vulnerability
Count by
Asset
This query counts
the vulnerabilities
for each asset that
is categorized under
/All Asset
Categories/System
Asset
y.
All
Vulnerabilitie
s in Email
and Web
Server
Assets
This resource has
no description.

Top
Vulnerability
Exposure of
Critical
Assets on
Trend
This query returns
the top 1000 assets
by vulnerability
count for the past
seven days from the
Top Vulnerability
Assets trend for the
Top Vulnerability
Assets report.
ical Assets/
Blaster
Vulnerable
Hosts
This resource has
no description.
Vulnerability
Exposure by
Asset
Criticality
a set of snapshot
points providing
vulnerability counts
for critical assets.
ical Assets/
Exposed
Vulnerabilitie
s by Asset
This query lists the
vulnerabilities for
each asset, up to
10,000
asset/vulnerability
tuples.
High-Priority
Vulnerabilitie
s Detected
on Critical
Assets -
Yesterday
scan events from
yesterday where the
priority of the scan
event is greater than
five (fairly severe)
and the target asset
has been
categorized as high
or very-high
criticality.

Exposed
Vulnerabilitie
s - High and
Very High
Criticality
Assets -
Trend Query
This query tracks
how many
and very-highly
critical systems
have over time. The
query is most often
used directly by a
trend to store a daily
snapshots of the
information. To
reduce the storage
requirements, this
query only retrieves
a count of the
number of
vulnerabilities on
these assets, not
the full list of
vulnerabilities.
ical Assets/
Simple
Table
Portrait
This template is
designed to show a
table. The
orientation is
portrait.
Report
Template
Simple
Table
Landscape
This template is
designed to show a
table. The
orientation is
landscape.
Report
Template
Chart and
Table
Landscape
This template is
designed to show
one chart and a
table. The
orientation is
landscape.
Report
Template
Simple
Chart
Landscape
This template is
designed to show
one chart. The
orientation is
landscape.
Report
Template
ArcSight System/1 Chart/Without Table

Vulnerability
Exposure by
Asset
Criticality
This trend provides
a weekly snapshot
of the vulnerability
counts of assets
marked as having
criticality. The
default snapshot
size (Row Limit) for
this trend is 50,000.
If you have
significantly more
assets than this,
increase this
number to match
your environment.
Note: You do not
need to adjust the
Row Limit for the
query that feeds this
trend (Vulnerability
Exposure by Asset
Criticality - Trend
Query - Snapshot),
the trend overrides
the query's Row
Limit parameter
when it runs.
Monitoring/Vulnerability Tracking/

Vulnerability
Exposure of
High and
Very-High
Criticality
Assets by
Zone - Daily
Trend
This trend collects a
weekly snapshot of
the assets used to
track how many
and very-highly
critical systems
have over time, by
zone. To reduce
storage
requirements, this
trend only collects a
count of the number
of vulnerabilities in
these zones, not the
full list of
vulnerabilities.
Note: This trend is
not enabled by
default.
Vulnerability
Exposure of
Critical
Assets
This trend collects
daily statistics on
the vulnerability
exposure of your
assets that have
been categorized as
highly or very-highly
critical. The trend
includes information
about the asset and
a count of the
number of
vulnerabilities it
currently exposes.

Top
Vulnerability
Exposure of
Critical
Assets
This trend collects
the top 1000 assets
by vulnerability
count from the
Vulnerability
Assets trend, to be
used in the Top
Vulnerability
Assets report.
CVE - CAN-
2003-0605
This resource has
no description.
Vulnerabilit
y
CVE

Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an
email client is configured on this system, click the link above and an email window opens with the
following information in the subject line:
Feedback on Configuration Monitoring Standard Content Guide (ESM 6.8c)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail client, and
send your feedback to arc-doc@hp.com.
We appreciate your feedback!

ArcSight Core, ArcSight Administration, and ArcSight System Standard Content Guide for ESM 6.8c

More Related Content

What's hot (20)

Similar to ArcSight Core, ArcSight Administration, and ArcSight System Standard Content Guide for ESM 6.8c (20)

More from Protect724migration (20)

Recently uploaded (20)

ArcSight Core, ArcSight Administration, and ArcSight System Standard Content Guide for ESM 6.8c